Cyware Daily Threat Intelligence
Daily Threat Briefing • Mar 13, 2024
Two new data-stealing malware families were spotted in the last 24 hours. One of them is identified as VCURMS RAT, which was distributed alongside STRRAT to harvest secrets from systems, apps, and browsers. The second one, identified as Tweaks, was used to infect and steal information from Roblox users. In another incident, researchers noticed that FakeBat malvertising campaigns have advanced, shifting away from repeatedly impersonating the same software brands.
For Patch Tuesday, security fixes and advisories poured in large numbers from several organizations. While Siemens and Schneider Electric rolled out security patches for over 200 vulnerabilities impacting their products, Microsoft issued fixes that addressed 61 flaws in Windows, Azure, Skype for Consumer, Microsoft Defender, and Microsoft Office.
Stanford University’s update on ransomware attack
Stanford University confirmed that the personal information of over 27,000 people was impacted by an Akira ransomware attack last year. The impacted data varies from person to person and includes dates of birth, SSNs, government IDs, passport numbers, and driver’s license numbers. Additionally, some people’s biometric data, medical information, digital signatures, and credit card information were also stolen in the attack. As per the statement by the university, the attackers had gained access to the data through a system used by the Department of Public Safety between May 12 and September 27, 2023.
Acer Philippines data leaked
Acer confirmed that its employees’ attendance data in the Philippines was stolen in a third-party vendor breach and leaked on a hacking forum. A threat actor named ‘ph1ns’ published the link to the stolen database for free on the hacking forum, indicating that anyone can easily download and access the data. The company has notified the National Privacy Commission and the Cybercrime Investigation and Coordination Center, and an investigation is underway.
Meson service compromised
A malicious campaign targeting the blockchain-based Meson service ahead of a crypto token unlock on March 15 was discovered by Sysdig Threat Research Team. The attacker exploited CVE-2021-3129 in a Laravel application and WordPress misconfigurations to gain initial access, swiftly creating 6000 Meson Network nodes using a compromised cloud account. Automated reconnaissance and privilege exploitation led to the spawning of EC2 instances across regions, culminating in significant costs for the account owner due to the execution of the meson_cdn binary.
Kids Empire’s database exposed
A database containing 2,363,222 documents in PDF and PNG formats, totaling 92.3 GB, was left publicly accessible, exposing reservations, injury waivers, receipts, and digital gift cards. Personally identifiable information (PII) including names, addresses, phone numbers, and credit card details was compromised, potentially affecting customers across Kids Empire's 68 locations in 18 states. Despite a responsible disclosure notice, the data remained accessible for at least three weeks, raising concerns about the extent of exposure and potential unauthorized access.
Millions of tokens and keys leaked
Developers inadvertently leaked 12.8 million secrets on public GitHub repositories in 2023, which is a 28% increase from the previous year. Three million of the leaked secrets included Google API keys, MongoDB credentials, OpenWeatherMap tokens, Telegram bot tokens, Google Cloud keys, and AWS IAM keys. The IT sector accounted for 65.9% of the total secrets leaked, followed by education, science and technology, retail, and manufacturing.
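As an added illustration of the kind of pre-commit check that catches the secret types named above before they reach a public repository (example code, not part of the Cyware briefing), the scanner below runs over a constructed diff. The regexes assume the commonly documented token formats (AWS access key IDs beginning AKIA/ASIA, Google API keys beginning AIza, Telegram bot tokens of the form botid:token, MongoDB URIs embedding credentials) and are a starting point, not an exhaustive ruleset.

```python
import re
from typing import Dict, List, Tuple

# Assumed token shapes, based on the publicly documented formats:
# - AWS access key ID: AKIA or ASIA followed by 16 upper-case alphanumerics
# - Google API key: AIza followed by 35 URL-safe characters (39 total)
# - Telegram bot token: numeric bot id, a colon, 35 URL-safe characters
# - MongoDB URI: user:password embedded before the @host part
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "mongodb_uri_with_credentials": re.compile(
        r"mongodb(?:\+srv)?://[^\s:/@]+:[^\s@]+@[^\s/]+"
    ),
}


def redact(secret: str) -> str:
    """Keep a short prefix so the finding is actionable without re-leaking the value."""
    return secret[:6] + "*" * (len(secret) - 6)


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, secret_type, redacted_match) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, redact(match.group(0))))
    return findings


# Constructed sample: a staged .env diff with one hit per secret type and one clean line.
# The AWS value is Amazon's documented placeholder key; the others are made up here.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+GOOGLE_MAPS_KEY=AIzaSyA1234567890abcdefghijklmnopqrstuv
+TELEGRAM_TOKEN=123456789:ABCdefGHIjklMNOpqrSTUvwxYZ012345678
+MONGO_URL=mongodb+srv://app_user:S3cretPassw0rd@cluster0.example.net/prod
+LOG_LEVEL=debug
"""

if __name__ == "__main__":
    for lineno, kind, shown in scan_text(SAMPLE_DIFF):
        print(f"line {lineno}: {kind}: {shown}")
    # A hook would exit non-zero here to block the commit when findings exist.
```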
New VCURMS RAT
A new malware called VCURMS RAT was found being distributed alongside STRRAT in a phishing campaign that targeted Java-based platforms. The campaign leveraged phishing emails, urging recipients to click a button to verify payment information. Subsequently, a harmful JAR file hosted on AWS is downloaded, which deploys the RATs. The ultimate goal of VCURMS RAT is to pilfer system information as well as secrets from popular apps and browsers.
New Tweaks info-stealer spotted
Attackers exploited YouTube and Discord to infect Roblox users with a new info-stealer named Tweaks. Based on PowerShell, the malware masquerades as a tool to enhance frames per second for Roblox users. Once executed, it exfiltrates sensitive data like user information, location, Wi-Fi profiles, passwords, Roblox IDs, and in-game currency details. The stolen data is sent via a Discord webhook to an attacker-controlled server.
Microsoft fixes 61 flaws
Microsoft has rolled out security patches for 61 vulnerabilities as part of the March 2024 Patch Tuesday update. Twenty-four of these are privilege escalation issues and another 18 are RCE flaws. Security feature bypass, information disclosure, DoS, and spoofing are among the other vulnerabilities that received patches this month. The impacted products include Windows, Azure, Skype for Consumer, Microsoft Defender, and Microsoft Office, among others.
Siemens and Schneider Electric issue advisories
Siemens and Schneider Electric issued security advisories for more than 200 vulnerabilities affecting their products. A total of 214 vulnerabilities were fixed by Siemens, with 157 of them impacting the Simatic RF160B mobile reader. Other impacted products from Siemens include Sentron, Solid Edge, Siveillance Control, Sinema Remote Connect Client, and Scalance X. Schneider Electric published two advisories for multiple flaws affecting Easergy T200 RTUs, EcoStruxure Power Design – Ecodial, and PowerLogic T300 products.
Fortinet patches critical flaws
Fortinet released patches for critical code execution vulnerabilities in FortiOS, FortiProxy, and FortiClientEMS. One of these flaws (CVE-2023-42789) is an out-of-bounds write issue in FortiOS and FortiProxy that can allow attackers to execute code via specially crafted HTTP requests. Another critical flaw (CVE-2023-48788) is an SQL injection issue in FortiClientEMS. Other flaws include an authorization bypass in FortiOS and FortiProxy, a CSV injection in the log download feature of FortiClientEMS, and an improper access control in FortiWLM MEA for FortiManager. Users are advised to apply recommended patches to stay safe.
SAP issues security notes
SAP warned about the risk of command injection attacks as it released 10 new and two updated security notes for vulnerabilities impacting its products. Two of these flaws are code injection vulnerabilities, CVE-2019-10744 and CVE-2024-22127, affecting SAP Build Apps and SAP NetWeaver AS Java, respectively. Other impacted products include SAP NetWeaver AS ABAP applications, SAP HANA Database, SAP NetWeaver Process Integration, and SAP ABAP Platform.
FakeBat spreads via malvertising
FakeBat malvertising campaigns are evolving to use new redirectors and leverage legitimate websites to bypass security checks, making them harder to detect. The latest wave of FakeBat malvertising targets a diverse range of brands, such as OneNote, Epic Games, and Ginger, indicating a shift from repeatedly impersonating the same software brands.